MacEwan University Phishing Scam: A Cautionary Tale

The Canadian university was defrauded $11.8M as a result of an elaborate phishing scam

A university in Edmonton fell victim to a phishing scam that cost it nearly $12-million. MacEwan University discovered on August 23rd that it had been bilked out of 11.8 million dollars after its staff failed to verify the legitimacy of emails, purportedly from a construction partner, that requested a change in banking information.

Here’s what happened: MacEwan University received an email that appeared to be from a vendor, a construction company called Clark Builders, requesting a change in their payment arrangement. Without verifying the email, it appears that representatives of MacEwan complied, and made three payments totaling $11.8-million to accounts in Montreal and Hong Kong.

The school discovered the mistake when the real construction company reached out to inquire about why it hadn’t been paid.

Upon further investigation, it appears that as many as 14 construction firms around the Edmonton area were targeted.

Per MacEwan spokesman, David Beharry:

“The fraudsters produced these fake domains about these 14 organizations. The organizations would not have any knowledge that somebody is phishing.”

So to summarize, hackers were able to defraud a Canadian university of almost $12-million dollars by pretending to be a construction company, building a fake website and constructing a convincing email.

MacEwan University is working with authorities in Canada and China to recover the lost funds, but this entire incident also works as a cautionary tale on a couple of levels. And as a security company that has considerable insight on phishing, we felt it’s worth discussing some of the biggest takeaways.

Don’t Laugh, It’s Easy to Get Phished

The first, and perhaps most important takeaway is just how easy it is to fall victim to one of these scams. It’s embarrassing, but MacEwan isn’t first company or organization (or institution in this case) to get phished. It won’t be the last. And it’s not like the school was trying to make this mistake.

It’s just, at this level, the school didn’t even have a policy in place for this kind of thing. It was reportedly three low-level employees that were presented with a convincing email and a spoofed website, that assumed everything was legitimate.

“A domain site with the authentic logo was sent… The individual asked us to change banking information from the vendor. That information was changed.”

Phishing is an incredibly sophisticated practice, it requires a great deal of social engineering coupled with a little bit of ingenuity. Be honest, ‘hackers might be impersonating our construction partner’ is not a thought that’s likely to flit across a low-level employee’s mind. Far less likely than the thought that a delay in payment could mean a delay in a key project.

So when presented with a convincing spoof website, it’s an understandable mistake. Add in the fact that many phishing websites are now using SSL certificates (which can be obtained for free) to make their sites look more convincing, and it’s easy to see how this happened.

Which brings us to our first key takeaway:

Takeaway One: Establish a company policy for verifying emails and payment portals before taking action.

Obviously, this can be expanded on, but at the very least make sure you’re defining clear policies with regard to authentication. As you can see, failing to do so can cost you dearly.

This Can Happen to Anyone

I’m sure there are 14 construction business owners in Edmonton who never dreamt that hackers were targeting them by building fake websites and phishing their potential customers. But this just goes to show you that phishing can happen to anyone, regardless of industry.

And give credit where it’s due, this is a fairly ingenious scam. Construction companies oftentimes run brochure-style websites that aren’t given considerable attention or regular updates. They make good targets for phishing. The size of their contracts is also attractive. This was a well-executed attack.

But Clark Builders doesn’t do its customers any favors by not having SSL enabled on its homepage. When you arrive at Clark Builders’ website, you’re making an unencrypted connection. To the company’s credit, its sub-contractors website is encrypted, but on its home page Clark Builders is missing an opportunity to leverage the authentication that SSL provides. At this point, using SSL is just a best practice, but Clark Builders could also be giving customers some verified information if it were to use an OV or EV certificate.

Now, I’m not pretending SSL would have prevented this. Not at all. Authentication is not a cure-all, that’s not the point I’m trying to make. But I will say, in this instance, authentication could have potentially helped. To what degree, who knows. But not having it certainly didn’t do anything to prevent MacEwan from getting phished.

Again, that’s a minor squabble. And Clark Builders isn’t to blame for this—it’s a victim here, too. But that does bring us to our second takeaway.

Takeaway Two: The best way to protect your customers from phishing is to make sure they know how to tell when it’s really you. They have to trust they’re at the right place.

There’s no surefire way to prevent someone from getting phished. With enough innovation, anyone can be made vulnerable. But you can help give your customers some peace of mind by ensuring they know when they are at the right place. Things like Extended Validation, site seals and user education are all beneficial to helping your customers authenticate you.

Let’s Wrap This Up

What happened to MacEwan University could have happened anywhere. It was a well thought out phishing scam that worked exactly as it was intended to. Blaming people is frankly unproductive.

Rather, this story should be used for educational purposes. We can learn a lot from it—about how to be more vigilant and that anyone can be a target.

It might seem like something to laugh at, but it’s also a reason to reflect on our own policies and practices. This could happen to anyone.

What We Hashed Out (For the Skimmers)

For those that like to skim, here are the key takeaways from today’s conversation:

MacEwan University was defrauded $11.8-million after falling for a phishing scam in which hackers impersonated the school’s construction partner.

MacEwan didn’t have a policy in place for verifying the authenticity of the request, instead three low-level employees complied with what appeared to be a legitimate communication.

Don’t Get Phished.

Email is the most commonly exploited attack vector, costing organizations millions annually. And for SMBs, the damage can prove fatal: 60% fold within 6 months of falling victim to a cyber attack. Don’t be one of them.

Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.